Adversarial Watermarking for Face Recognition

Yuguang Yao, Anil Jain, Sijia Liu
2024-09-24
Abstract: Watermarking is an essential technique for embedding an identifier (i.e., watermark message) within digital images to assert ownership and monitor unauthorized alterations. In face recognition systems, watermarking plays a pivotal role in ensuring data integrity and security. However, an adversary could potentially interfere with the watermarking process, significantly impairing recognition performance. We explore the interaction between watermarking and adversarial attacks on face recognition models. Our findings reveal that while watermarking or input-level perturbation alone may have a negligible effect on recognition accuracy, the combined effect of watermarking and perturbation can result in an adversarial watermarking attack, significantly degrading recognition performance. Specifically, we introduce a novel threat model, the adversarial watermarking attack, which remains stealthy in the absence of watermarking, allowing images to be correctly recognized initially. However, once watermarking is applied, the attack is activated, causing recognition failures. Our study reveals a previously unrecognized vulnerability: adversarial perturbations can exploit the watermark message to evade face recognition systems. Evaluated on the CASIA-WebFace dataset, our proposed adversarial watermarking attack reduces face matching accuracy by 67.2% with an $\ell_\infty$ norm-measured perturbation strength of ${2}/{255}$ and by 95.9% with a strength of ${4}/{255}$.
Computer Vision and Pattern Recognition, Artificial Intelligence
What problem does this paper attempt to address?
The problems that this paper attempts to solve are: **How does watermarking technology affect the adversarial robustness of face recognition systems, and can adversarial attacks use watermarks to further reduce the performance of face matching?** Specifically, the paper explores the interaction between watermarking technology and adversarial attacks in face recognition systems. Although the impact of a watermark or an input-level perturbation alone on recognition accuracy may be negligible, the combination of the two can produce a strong adversarial watermark attack that greatly reduces face recognition performance. The authors introduce a new threat model, the **adversarial watermark attack**, which remains hidden in the absence of a watermark but is activated once a watermark is applied, resulting in recognition failure.

### Main problem summary

1. **Interaction between watermark and adversarial attack**: Study the mutual influence between watermarking technology and adversarial attacks in face recognition systems.
2. **New threat model**: Propose a new threat model, the adversarial watermark attack, which remains hidden without a watermark but is triggered once a watermark is applied, resulting in recognition failure.
3. **Experimental verification**: Verify the effectiveness of adversarial watermark attacks through experiments, in particular the impact of watermarking on face recognition performance under different strengths of adversarial perturbation.

### Specific problem description

- **Role of watermark**: Watermarking technology is used to embed identification information (such as an ownership claim) to ensure data integrity and security.
- **Threat of adversarial attack**: Adversarial attacks deceive machine-learning models by introducing slight perturbations, which may lead to recognition errors.
- **Joint effect**: The combination of watermark and adversarial attack may create new security vulnerabilities, resulting in a significant decline in the performance of face recognition systems.

### Core contributions of the paper

- Propose a face recognition test platform that integrates watermarking technology.
- Introduce a new adversarial watermark attack model, revealing key vulnerabilities in the watermarking process.
- Show experimentally that, once watermarks are applied, small-scale adversarial perturbations can significantly reduce the accuracy of face matching.

In short, this paper aims to reveal the potential risks of watermarking technology and adversarial attacks in face recognition systems and proposes new attack models to evaluate these risks.
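The threat model above is defined by four matching conditions (clean, watermark only, perturbation only, watermark plus perturbation) under an $\ell_\infty$ budget. The audit harness below is an added illustration, not code from the paper: it checks that a submitted perturbation stays within the paper's $2/255$ budget and flags a probe whose match verdict survives watermarking alone and perturbation alone but flips once both are present. The embedding (normalised pixels), the additive watermark pattern, the cosine threshold and the 3-pixel sample vectors are all constructed stand-ins for a real face model and watermark scheme.

```python
from math import sqrt

EPS_LINF = 2 / 255        # perturbation budget from the paper's first setting
MATCH_THRESHOLD = 0.9992  # constructed cosine threshold for the toy matcher
WATERMARK_PATTERN = [1.0, -1.0, 0.0]  # constructed fixed +/- pattern


def embed(pixels):
    """Toy embedding: L2-normalised pixel vector (stand-in for a face model)."""
    norm = sqrt(sum(p * p for p in pixels))
    return [p / norm for p in pixels]


def is_match(probe, gallery):
    """Cosine similarity of the two embeddings against the match threshold."""
    sim = sum(a * b for a, b in zip(embed(probe), embed(gallery)))
    return sim >= MATCH_THRESHOLD


def add_watermark(pixels, amplitude=0.02):
    """Toy additive watermark, clipped to the valid pixel range [0, 1]."""
    return [min(1.0, max(0.0, p + amplitude * s))
            for p, s in zip(pixels, WATERMARK_PATTERN)]


def linf_distance(a, b):
    return max(abs(x - y) for x, y in zip(a, b))


def audit_probe(clean, perturbed, gallery, eps=EPS_LINF):
    """Evaluate the four conditions the paper compares and flag activation.

    `activated` is True when the perturbation is harmless on its own and the
    watermark is harmless on its own, but matching fails with both present.
    """
    dist = linf_distance(clean, perturbed)
    if dist > eps + 1e-12:  # reject inputs outside the stated budget
        raise ValueError(f"perturbation exceeds budget: {dist:.5f} > {eps:.5f}")
    v = {
        "linf": dist,
        "clean": is_match(clean, gallery),
        "watermark_only": is_match(add_watermark(clean), gallery),
        "perturb_only": is_match(perturbed, gallery),
        "watermark_and_perturb": is_match(add_watermark(perturbed), gallery),
    }
    v["activated"] = (v["perturb_only"] and v["watermark_only"]
                      and not v["watermark_and_perturb"])
    return v


# Constructed sample: probe and gallery are the same identity; the perturbation
# has l_inf norm exactly 2/255 and lies along the watermark's own direction.
GALLERY = [0.5, 0.5, 0.5]
CLEAN = [0.5, 0.5, 0.5]
PERTURBED = [0.5 + EPS_LINF, 0.5 - EPS_LINF, 0.5]

if __name__ == "__main__":
    print(audit_probe(CLEAN, PERTURBED, GALLERY))
```

With these constructed inputs the probe matches in the clean, watermark-only and perturbation-only conditions and fails only when the watermark is applied to the perturbed image, which is exactly the activation pattern the paper describes.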